.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "AA-STATUS 8"
.TH AA-STATUS 8 2024-03-25 "AppArmor 3.0.13" AppArmor
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
aa\-status \- display various information about the current AppArmor policy.
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBaa-status\fR [option]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBaa-status\fR will report various aspects of the current state of
AppArmor confinement. By default, it displays the same information as if
the \fI\-\-verbose\fR argument were given. A sample of what this looks like
is:
.PP
.Vb 8
\& apparmor module is loaded.
\& 110 profiles are loaded.
\& 102 profiles are in enforce mode.
\& 8 profiles are in complain mode.
\& Out of 129 processes running:
\& 13 processes have profiles defined.
\& 8 processes have profiles in enforce mode.
\& 5 processes have profiles in complain mode.
.Ve
.PP
Other argument options are provided to report individual aspects, to
support being used in scripts.
.SH OPTIONS
.IX Header "OPTIONS"
\&\fBaa-status\fR accepts only one argument at a time out of:
.IP \-\-enabled 4
.IX Item "--enabled"
returns an error code if AppArmor is not enabled.
.IP \-\-profiled 4
.IX Item "--profiled"
displays the number of loaded AppArmor policies.
.IP \-\-enforced 4
.IX Item "--enforced"
displays the number of loaded enforcing AppArmor policies.
.IP \-\-complaining 4
.IX Item "--complaining"
displays the number of loaded non-enforcing AppArmor policies.
.IP \-\-kill 4
.IX Item "--kill"
displays the number of loaded enforcing AppArmor policies that will
kill tasks on policy violations.
.IP \-\-special\-unconfined 4
.IX Item "--special-unconfined"
displays the number of loaded non-enforcing AppArmor policies that are
in the special unconfined mode.
.IP \-\-process\-mixed 4
.IX Item "--process-mixed"
displays the number of processes confined by profile stacks with
profiles in different modes.
.IP \-\-verbose 4
.IX Item "--verbose"
displays multiple data points about the loaded AppArmor policy set (the
default action if no arguments are given).
.IP \-\-json 4
.IX Item "--json"
displays multiple data points about the loaded AppArmor policy set in a
JSON format, fit for machine consumption.
.IP \-\-pretty\-json 4
.IX Item "--pretty-json"
same as \-\-json, formatted to be readable by humans as well as by
machines.
.IP \-\-help 4
.IX Item "--help"
displays a short usage statement.
.SH "EXIT STATUS"
.IX Header "EXIT STATUS"
Upon exiting, \fBaa-status\fR will set its exit status to the
following values:
.IP \fB0\fR 4
.IX Item "0"
if AppArmor is enabled and policy is loaded.
.IP \fB1\fR 4
.IX Item "1"
if AppArmor is not enabled/loaded.
.IP \fB2\fR 4
.IX Item "2"
if AppArmor is enabled but no policy is loaded.
.IP \fB3\fR 4
.IX Item "3"
if the AppArmor control files aren't available under /sys/kernel/security/.
.IP \fB4\fR 4
.IX Item "4"
if the user running the script doesn't have enough privileges to read
the AppArmor control files.
.IP \fB42\fR 4
.IX Item "42"
if an internal error occurred.
.SH BUGS
.IX Header "BUGS"
\&\fBaa-status\fR must be run as root to read the state of the loaded
policy from the apparmor module. It uses the /proc filesystem to determine
which processes are confined and so is susceptible to race conditions.
.PP
If you find any additional bugs, please report them at .
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBapparmor\fR\|(7), \fBapparmor.d\fR\|(5), and .
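.SH EXAMPLE
.IX Header "EXAMPLE"
The script below is an added example, not part of the AppArmor project's
own manual page or code: it calls the single-option queries from OPTIONS
one at a time and interprets each result with the EXIT STATUS table, so
that a deployment or monitoring job fails when profiles are not enforcing.
The AA_STATUS variable and the return codes 10 and 11 are assumptions
introduced for this example.
.PP
.nf
```sh
#!/bin/sh
# Added example, not AppArmor project code. AA_STATUS is an assumed
# override (not an aa-status feature) for a stub or non-default path.
: "${AA_STATUS:=aa-status}"

# Map an exit status to its meaning from the EXIT STATUS section.
aa_explain() {
    case $1 in
        0)  echo "enabled and policy loaded" ;;
        1)  echo "not enabled/loaded" ;;
        2)  echo "enabled but no policy loaded" ;;
        3)  echo "control files not available" ;;
        4)  echo "insufficient privileges" ;;
        42) echo "internal error" ;;
        *)  echo "undocumented exit status $1" ;;
    esac
}

# Run one query: aa-status accepts only one option per call. Prints the
# count on stdout and returns the exit status of aa-status.
aa_query() {
    "$AA_STATUS" "$1" 2>/dev/null
}

# Pass only when policy is loaded and no profile is in complain mode.
# Returns 0 on pass, the aa-status exit status on a tool failure, 10 when
# profiles are complaining, 11 on non-numeric output (10, 11: constructed).
aa_gate() {
    for opt in --profiled --enforced --complaining; do
        # The "&& ... ||" form keeps the status even under "set -e".
        out=$(aa_query "$opt") && rc=0 || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "FAIL: $(aa_explain "$rc")"
            return "$rc"
        fi
        case $out in
            ''|*[!0-9]*) echo "FAIL: unexpected output for $opt"; return 11 ;;
        esac
        case $opt in
            --profiled)    profiled=$out ;;
            --enforced)    enforced=$out ;;
            --complaining) complaining=$out ;;
        esac
    done
    if [ "$complaining" -gt 0 ]; then
        echo "FAIL: $complaining of $profiled profiles are in complain mode"
        return 10
    fi
    echo "PASS: $enforced of $profiled profiles enforcing"
}
```
.fi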